TCP/IP Subscriber Configuration Information

Overview

This page contains the information that subscriber network managers will need to plan and configure their connection to the SCCo ARES/RACES network. The configuration model is analogous to a commercial ISP connection with static addresses, but more flexibility is provided to accommodate each agency's unique networking needs.

This configuration page assumes basic TCP/IP knowledge such as subnetting and static routing. Connectivity to the SCCo ARES/RACES network is best managed by someone with TCP/IP knowledge. If you need help, consult our TCP/IP user group.

Network Addressing

SCCo ARES/RACES Network Addresses

The following network address ranges are reserved for the SCCo ARES/RACES Data Network. If you are using private IP address space within your local network, be sure to use addresses other than the ones below.

SCCo ARES/RACES Core Network

10.240.0.0/12 (mask 255.240.0.0)

Includes 10.240.0.0 - 10.255.255.255

Used for the SCCo ARES/RACES core network, including the servers that you will use (packet, email, DNS, etc.)

The SCCo ARES/RACES network team has management control of all devices in this range

SCCo ARES/RACES Access and Subscriber Networks

10.232.0.0/13 (mask 255.248.0.0)

Includes: 10.232.0.0 - 10.239.255.255

Used for handoff networks between the SCCo ARES/RACES network and subscribers

Subscribers have management control of one or more devices in this range

You can easily identify other SCCo ARES/RACES network subscribers (such as users from other cities) by these source addresses. This lets you configure your firewall to either allow or deny users from other subscriber sites from accessing servers on your network.

Subscriber Networks

Exclusive /24 address space for each subscriber

Each subscriber will have exclusive use of a /24 IP address space (254 addresses; mask = 255.255.255.0) from the "Access and Subscriber Networks" range of addresses listed above.

For purposes of this documentation, we'll refer to the address space as a.b.c.0/24 (network a.b.c.0, mask 255.255.255.0).

/29 handoff subnet

Within the subscriber's address space, the last /29 subnet, a.b.c.240/29 (mask = 255.255.255.240), will be used for a handoff subnet. The address assignments are as follows:

a.b.c.240: Network number (no hosts allowed)

a.b.c.241: Subscriber's gateway/firewall

a.b.c.242-247: Subscriber hosts - statically assigned addresses

a.b.c.248-251: Subscriber hosts - dynamically assigned by DHCP

a.b.c.252-253: Reserved for SCCo ARES/RACES testing/diagnostics

a.b.c.254: SCCo ARES/RACES gateway

a.b.c.255: Broadcast address (no hosts allowed)

This arrangement has several advantages:

Consistent addressing for gateways. When a disaster strikes and documentation is hard to reach, consistent, simple rules are easier to follow.

Six static addresses for appliances, servers, or source/destination NATing

Four dynamically assigned addresses make it easy to hook up a few devices for initial connectivity or testing/diagnostics

Although inadvisable for security reasons, the six static addresses and four dynamic addresses can be used for simple configurations where the subscriber has no other firewall or networks to attach.

The remaining 239 addresses (a.b.c.1-239) in the /24 address space are available for use by the subscriber for further subnetting.
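The script below is an added illustration, not part of the original page: it derives the handoff assignments above for any subscriber /24 with Python's standard ipaddress module and checks a candidate private LAN range against the two reserved SCCo ranges (the "use addresses other than the ones below" advice). The allocation 10.232.5.0/24 and the LAN ranges are constructed examples. One detail to be aware of: the mask 255.255.255.240 given for the handoff subnet covers the 16 addresses a.b.c.240-255 listed above, which is a /28 in prefix notation, so the code splits the /24 with new_prefix=28.

```python
import ipaddress

# Address ranges stated on the page.
CORE_NET = ipaddress.ip_network("10.240.0.0/12")    # SCCo ARES/RACES core network
ACCESS_NET = ipaddress.ip_network("10.232.0.0/13")  # access and subscriber networks


def handoff_plan(subscriber_net):
    """Derive the handoff subnet assignments for a subscriber's /24 (a.b.c.0/24).

    Returns a dict keyed by role; address ranges are inclusive (first, last) tuples.
    """
    net = ipaddress.ip_network(subscriber_net)  # strict: host bits must be zero
    if net.prefixlen != 24:
        raise ValueError(f"{net} is not a /24 allocation")
    if not net.subnet_of(ACCESS_NET):
        raise ValueError(f"{net} lies outside the subscriber range {ACCESS_NET}")

    # The last 16 addresses of the /24 form the handoff subnet (mask 255.255.255.240).
    handoff = list(net.subnets(new_prefix=28))[-1]
    base = int(handoff.network_address)

    def at(offset):
        return ipaddress.ip_address(base + offset)

    return {
        "handoff": handoff,                      # a.b.c.240, mask 255.255.255.240
        "network": at(0),                        # a.b.c.240, no hosts
        "subscriber_gateway": at(1),             # a.b.c.241
        "static_hosts": (at(2), at(7)),          # a.b.c.242-247
        "dhcp_hosts": (at(8), at(11)),           # a.b.c.248-251
        "scco_diagnostics": (at(12), at(13)),    # a.b.c.252-253
        "scco_gateway": at(14),                  # a.b.c.254
        "broadcast": at(15),                     # a.b.c.255, no hosts
        "free_for_subnetting": (net.network_address + 1, at(0) - 1),  # a.b.c.1-239
    }


def range_size(pair):
    """Number of addresses in an inclusive (first, last) tuple."""
    first, last = pair
    return int(last) - int(first) + 1


def conflicts_with_scco(local_net):
    """True if a private LAN range overlaps a reserved SCCo range (the page says to avoid these)."""
    net = ipaddress.ip_network(local_net, strict=False)
    return net.overlaps(CORE_NET) or net.overlaps(ACCESS_NET)


if __name__ == "__main__":
    # Constructed example allocation; real allocations come from the network team.
    plan = handoff_plan("10.232.5.0/24")
    for role, value in plan.items():
        print(f"{role:22} {value}")
    print("free addresses for subnetting:", range_size(plan["free_for_subnetting"]))
    print("192.168.1.0/24 conflicts with SCCo ranges:", conflicts_with_scco("192.168.1.0/24"))
    print("10.240.1.0/24 conflicts with SCCo ranges:", conflicts_with_scco("10.240.1.0/24"))
```

Running it prints the per-role table for the example allocation; feeding it a range outside 10.232.0.0/13 raises a ValueError, which is a cheap way to catch a typo in the allocation before it reaches a firewall config.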

Network ingress filtering

The SCCo ARES/RACES network will drop all inbound traffic (from subscribers) if the source address is not within the subscriber's assigned address space. This is commonly called "network ingress filtering" and is used to prevent IP address spoofing. It is documented in RFC 2827, BCP 38.

This means that subscribers with larger networks that use addresses other than their assigned /24 address space will need to NAT (Network Address Translation) their other addresses into one or more addresses in their assigned /24 address range. The /24 address space provides plenty of space for NATing.

Subscriber Host Configuration

Subscribers are STRONGLY encouraged to install their own firewall between their network and the SCCo ARES/RACES network. While we endeavour to maintain high security within the SCCo ARES/RACES network, configuration mistakes and software bugs can occur. And new types of threats will always emerge in the future. Subscribers should take charge of their own security by installing and managing their own firewall (see the next section).

That said, subscribers that choose to place hosts directly on the handoff subnet can either configure them statically or use DHCP provided by the SCCo ARES/RACES gateway.

Static Configuration

IP Address:

Choose a unique address in the range of: a.b.c.{242-247}, where a.b.c.0 is the subscriber's assigned IP address space.

DNS Servers:

You need to use the internal DNS servers provided in order to reach our internal hostnames. They also resolve external, Internet hostnames.

The closest/best DNS servers to use depend on where you connect to the network. A primary and secondary DNS server will be provided to your team's primary network contact along with other details specific to your connection.

DHCP Configuration:

Automatically assigned as the closest/best choices for your connection

Subscriber Firewall Configuration

Subscriber firewall configurations vary, depending on the firewall vendor and the subscriber's specific network configuration requirements. The following general configuration will work for most subscribers and can be adjusted as needed.

Interfaces:

Handoff Subnet (interface facing the SCCo ARES/RACES network)

IP address: a.b.c.241

Network Mask: 255.255.255.240

Default gateway: see "Routing" discussion below

Other Interfaces

Consult your primary network contact

Routing:

The IP address of the SCCo ARES/RACES network gateway will be the last address in each subscriber network: a.b.c.254. How routes and default gateways are configured depends on whether or not the subscriber's network connects to other networks.

If the subscriber has no other network connection

Configure a default route/gateway:

Destination: 0.0.0.0/0 (mask 0.0.0.0)

Next Hop Gateway: a.b.c.254

Metric: 1 (or whatever fits the subscriber's routing scheme)

If the subscriber has other network connections (such as a city network which may or may not also connect to the Internet)

Distribute these routes to other routers in the subscriber network using the subscriber's chosen internal routing protocol

Domain Name System (DNS):

The subscriber firewall is typically configured with a primary and secondary DNS server.

The firewall may then act as a local DNS proxy or a caching server for your local LANs. Or, it may pass along the primary and secondary DNS addresses as part of the information distributed by DHCP.

The subscriber primary network contact will be provided the best/closest DNS servers to use for resolving hostnames within the SCCo ARES/RACES network and the Internet.

Network Address Translation (NAT):

All traffic entering the SCCo ARES/RACES network will be filtered by source IP address. All traffic inbound to the SCCo ARES/RACES network from the subscriber network will need to be NAT'ed so that the source addresses are within the subscriber's assigned IP address range. Subscribers that need to use addresses outside of their assigned IP address range can configure either Masquerade NAT (with optional Destination NAT) or Source and Destination NAT.

Masquerade NAT

This is the most commonly used solution and it is available on even the most simple consumer firewalls.

The firewall sets the source address of all traffic exiting the firewall (heading into the SCCo ARES/RACES network) to the same IP address as the firewall's external address (the firewall's interface on the handoff subnet). The firewall keeps track of the different traffic streams and reverses the process for responses coming back.

Destination NAT

Subscribers may wish to make services within their networks available to other subscribers. For example, the subscriber may have a file server or web server or VoIP server that they wish to share with users from other cities connected to the SCCo ARES/RACES network. If so, Destination NAT can be configured on the subscriber firewall to map IP addresses and/or UDP/TCP port numbers to specific hosts.

Source and Destination NAT

This method is a bit more complicated to set up and may not be available on cheaper consumer firewalls. But it makes it easier for users outside your network to use your services: each service can be reached at its own unique IP address.

Source NAT (for traffic from the subscriber network to the SCCo Network).

The subscriber configures firewall rules to convert the source address of specific hosts to a unique IP address in the handoff subnet.

Destination NAT (for traffic from the SCCo Network to the subscriber network).

The subscriber configures firewall rules to convert specific destination addresses in the handoff subnet to the actual addresses of specific hosts in the subscriber's network.
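To make the three NAT options in this section concrete, and to show why the "Network ingress filtering" section above forces NAT in the first place, here is an added Python model (not from the original page) of a subscriber firewall's translation table next to the SCCo gateway's BCP 38 source check. Everything specific is constructed: the allocation 10.232.5.0/24, the 192.168.1.x LAN hosts, the 1:1 mapping of a web server to a.b.c.243, and the VoIP port forward; real addresses come from your network contact and your own design.

```python
import ipaddress

# Constructed example allocation (a.b.c.0/24 on the page); the real one comes from the network team.
SUBSCRIBER_NET = ipaddress.ip_network("10.232.5.0/24")
FIREWALL_EXT = "10.232.5.241"          # a.b.c.241, the firewall's handoff-side address

# Source and Destination NAT: constructed 1:1 mappings, LAN host <-> unique handoff address.
ONE_TO_ONE = {"192.168.1.20": "10.232.5.243"}            # e.g. a web server
ONE_TO_ONE_REVERSE = {v: k for k, v in ONE_TO_ONE.items()}

# Destination NAT behind the masqueraded address: (proto, port) -> (LAN host, port). Constructed.
PORT_FORWARDS = {("udp", 5060): ("192.168.1.30", 5060)}  # e.g. a VoIP server


def scco_ingress_filter(src):
    """The SCCo gateway's BCP 38 check: only sources inside the subscriber's /24 get through."""
    return ipaddress.ip_address(src) in SUBSCRIBER_NET


class SubscriberNat:
    """Minimal model of the subscriber firewall's NAT behaviour (one address family, no timeouts)."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.masq = {}      # (lan_src, lan_port) -> external port
        self.sessions = {}  # external port -> (lan_src, lan_port)

    def outbound(self, src, sport):
        """Translate a packet heading into the SCCo network; returns (src, sport) as sent."""
        if ipaddress.ip_address(src) in SUBSCRIBER_NET:
            return src, sport                    # already a valid handoff address, no translation
        if src in ONE_TO_ONE:
            return ONE_TO_ONE[src], sport        # Source NAT: fixed unique address, port kept
        key = (src, sport)                       # Masquerade: everyone else shares FIREWALL_EXT
        if key not in self.masq:
            self.masq[key] = self.next_port      # allocate a distinct external port per stream
            self.sessions[self.masq[key]] = key
            self.next_port += 1
        return FIREWALL_EXT, self.masq[key]

    def inbound(self, dst, dport, proto="tcp"):
        """Translate a packet arriving from the SCCo network; None means no mapping (dropped)."""
        if dst in ONE_TO_ONE_REVERSE:
            return ONE_TO_ONE_REVERSE[dst], dport        # Destination NAT for the 1:1 host
        if dst != FIREWALL_EXT:
            return None                                  # unused handoff address, nothing behind it
        if (proto, dport) in PORT_FORWARDS:
            return PORT_FORWARDS[(proto, dport)]         # published service behind the masquerade
        return self.sessions.get(dport)                  # reply to a masqueraded stream, if any


if __name__ == "__main__":
    nat = SubscriberNat()
    for lan_src, sport in [("192.168.1.50", 51000), ("192.168.1.20", 51000), ("192.168.1.51", 51000)]:
        ext = nat.outbound(lan_src, sport)
        print(f"{lan_src}:{sport} -> {ext[0]}:{ext[1]}",
              "passes SCCo ingress filter" if scco_ingress_filter(ext[0]) else "DROPPED by SCCo")
    # Untranslated LAN traffic would never make it past the SCCo gateway.
    print("192.168.1.50 untranslated passes filter:", scco_ingress_filter("192.168.1.50"))
    print("inbound 10.232.5.243:80 ->", nat.inbound("10.232.5.243", 80))
    print("inbound 10.232.5.241:5060/udp ->", nat.inbound("10.232.5.241", 5060, "udp"))
    print("inbound 10.232.5.241:9999 ->", nat.inbound("10.232.5.241", 9999))
```

The point the model makes visible: with Masquerade every LAN host appears as a.b.c.241 and is told apart only by port, so a service behind it needs a port forward; with the 1:1 mapping the web server has its own handoff address and inbound packets to it need no port bookkeeping, which is the "unique IP addresses" advantage the text describes.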

Traffic Filtering

The SCCo ARES/RACES network will drop all attempts to make a new connection from the external, commercial Internet to subscriber nets. (Replies to sessions initiated from subscribers to the Internet are allowed.) This prevents a large percentage of attacks. But each subscriber is responsible for its own network security. In a similar manner, subscribers should filter inbound traffic to their network to protect against intrusion. The following general recommendations are provided as a framework to help network management get started. Each subscriber should consult with someone that is knowledgeable about network security and firewall configuration. (Note: the order of the rules below is important.)

Configure a default policy of "drop" for all traffic into your network from the handoff network interface

Anything you don't specifically allow will be dropped

Allow "established" connections

These are replies coming from sessions initiated outbound by your users

If you wish to allow addresses in the SCCo ARES/RACES core network to initiate connections to addresses in your network (such as to help you with diagnostics and troubleshooting):

You may want to also filter the destination address to restrict those connections to specific hosts on your network

You may also wish to filter the destination UDP/TCP port to restrict those connections to certain allowed protocols

To test your filters, you can ask others on the TCP/IP user group list to try to connect to your server(s)
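The following Python class is an added example, not from the original page, that applies the rule set just described to inbound packets on the handoff interface: allow "established" replies to sessions your users opened, optionally allow the SCCo core network (10.240.0.0/12) to reach specific hosts and ports, and drop everything else. The exposed host 10.232.5.243 with SSH on tcp/22, the outbound session and the packet addresses are all constructed.

```python
import ipaddress

CORE_NET = ipaddress.ip_network("10.240.0.0/12")  # SCCo ARES/RACES core network, from the page

# Constructed: the only (host, proto, port) on our side that core-network addresses may reach,
# e.g. SSH on a diagnostics host. An empty set means no inbound connections from the core at all.
ALLOWED_FROM_CORE = {("10.232.5.243", "tcp", 22)}


class HandoffInboundFilter:
    """Ordered rule set for traffic arriving from the handoff interface.

    The default "drop" policy is configured first on a real firewall, but it only applies
    when no explicit allow rule matches, so it is evaluated last here.
    """

    def __init__(self, allowed_from_core=ALLOWED_FROM_CORE):
        self.allowed_from_core = allowed_from_core
        self.sessions = set()   # (our_addr, our_port, remote_addr, remote_port, proto)
        self.log = []           # one (verdict, rule, summary) tuple per inbound packet

    def note_outbound(self, src, sport, dst, dport, proto="tcp"):
        """Record a session our users initiated, so that its replies count as 'established'."""
        self.sessions.add((src, sport, dst, dport, proto))

    def decide(self, src, sport, dst, dport, proto="tcp"):
        """Return (verdict, rule) for an inbound packet; rules are checked in order."""
        # Allow "established": this packet is a reply to something we initiated.
        if (dst, dport, src, sport, proto) in self.sessions:
            verdict = ("allow", "established")
        # Optionally allow the SCCo core network, but only to the listed hosts and ports.
        elif ipaddress.ip_address(src) in CORE_NET and (dst, proto, dport) in self.allowed_from_core:
            verdict = ("allow", "core-to-allowed-service")
        # Default policy: anything not specifically allowed is dropped.
        else:
            verdict = ("drop", "default-policy")
        self.log.append(verdict + (f"{proto} {src}:{sport} -> {dst}:{dport}",))
        return verdict


if __name__ == "__main__":
    fw = HandoffInboundFilter()
    # Our user opened a web session to a constructed core-network server.
    fw.note_outbound("10.232.5.243", 51000, "10.240.0.10", 80)
    packets = [
        ("10.240.0.10", 80, "10.232.5.243", 51000, "tcp"),    # the reply: established
        ("10.240.0.10", 44444, "10.232.5.243", 22, "tcp"),    # core net to allowed SSH host
        ("10.240.0.10", 44444, "10.232.5.243", 80, "tcp"),    # core net, port not allowed
        ("10.233.7.5", 44444, "10.232.5.243", 22, "tcp"),     # another subscriber, not core
        ("10.240.0.10", 80, "10.232.5.243", 51001, "tcp"),    # looks like a reply, no session
    ]
    for pkt in packets:
        fw.decide(*pkt)
    for verdict, rule, summary in fw.log:
        print(f"{verdict:5} {rule:24} {summary}")
```

The log the class keeps is what you would compare against the results when you ask others on the TCP/IP user group list to try connecting to your servers: each attempt should show up with the verdict you expected, and anything allowed by a rule you did not intend stands out immediately.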

Anti-X, IPS

Anti-SPAM, Anti-virus, anti-malware, anti-... and other intrusion prevention mechanisms should be enabled, if they are available features in your firewall

This is important whether or not you enable inbound connections to your network.

Other than the Internet itself, the biggest security threat is from the various personal PCs that individuals may bring from home and plug into their city's ARES/RACES network, and from users clicking on dangerous links. Better firewalls have advanced features to block malicious activity on the fly.

DNS Service

If you wish to have specific hostnames published in the SCCo ARES/RACES network domain name service (DNS) servers ...

Equipment and Software

Firewall

Subscribers are STRONGLY encouraged to install their own firewall between their network and the SCCo ARES/RACES network.

Even a basic consumer or small business firewall will provide sufficient protection for most situations

Of course, those with more advanced city-wide networks may need more advanced features found in business-class firewalls

Always ask permission from your city's IT department before installing or turning on the wireless function in your firewall (if it has one). You will be creating an additional penetration threat and you may interfere with their installed systems.

In most cases, the connection to the SCCo ARES/RACES network will be a single Ethernet jack. Except for UHF connections, you'll probably want more than one computer connected to the network. And you'll probably want to connect a network-shared printer and possibly other peripherals.

For most installations, a small 8-16 port desktop Ethernet switch will be ideal.

Select a switch that uses passive cooling for the least power consumption in case you have to run on batteries for a while.

Power

The TCP/IP radio, firewall, Ethernet switch and any other associated network equipment need to be supported by an uninterruptible power source, just like your voice and packet radios. Otherwise, the network equipment will be down when everything else is down and it will not provide a viable emergency communications capability.

Physical Security

Subscribers should carefully control both login access and physical access to the above network equipment to prevent both human error and malicious attacks.

Conspicuously label all connections so it's clear which network they apply to.

Unsuspecting EOC/DOC users should be prevented from plugging into the wrong Ethernet jack by mistake.

And potentially malicious actors should be prevented from accessing our network.